Leaked Details of MIT Investigation

The NYT reports details that must come from MIT’s investigation (though the spokesperson insists it’s a review) of its involvement in Aaron Swartz’ arrest and conviction.

There are a few I find of particular interest.

First, MIT claims it learned that Aaron was still downloading JSTOR materials on January 3.

However, on Jan. 3, 2011, according to internal M.I.T. documents obtained by The New York Times, the university was informed that the intruder was back — this time downloading documents very slowly, with a new method of access, so as not to alert the university’s security experts.

Court documents say JSTOR informed MIT about this around Christmas.

The NYT references “a security expert” analyzing MIT’s network.

Early on Jan. 4, at 8:08 a.m., according to Mr. Halsall’s detailed internal timeline of the events, a security expert was able to locate that new method of access precisely — the wiring in a network closet in the basement of Building 16, a nondescript rectangular structure full of classrooms and labs that, like many buildings on campus, is kept unlocked.

This is a detail I’ve long wondered about: who was the expert and what tools did she or he use?

And then there’s the thoroughly unsurprising news that Michael Pickett was with MIT’s head cop when they found Aaron on January 6, 2011.

A little after 2 p.m., according to the government, Mr. Swartz was spotted heading down Massachusetts Avenue within a mile of M.I.T. After being questioned by an M.I.T. police officer, he dropped his bike and ran (according to the M.I.T. timeline, he was stopped by an M.I.T. police captain and Mr. Pickett).

Anyone want to bet they were using some fancy surveillance to find Aaron?

I haven’t been in Cambridge for 40 years, but Mass Ave runs through it into Boston. A mile radius could put that encounter somewhere across the Charles River, and encompass possibly 100,000 people. Many on Mass Ave would be on bicycles (Harvard is (IIRC) about a half mile away, and Central Square, a subway stop, is between them). To “spot” him would require a massive lookout with pictures, and possibly a clothing description.

The MIT Security Roadmap shows an organization well, well behind the curve in basic security infrastructure. This was a policy/ideological choice, one that seems to have been reversed in 2009/2010, and MIT was playing catch up.

As for catching him on his bike a mile from MIT, it sounds like they tried to get to the network closet while he was there and weren’t fast enough. If you’re in your car (like they were) and ask yourself “If we’re going to try and catch up with the fleeing suspect, where do we go?”, up Massachusetts Ave. is your best bet. They got lucky because Aaron took the most obvious “escape route”, which is also the direct route to where he was living.

Maybe there was something else going on here, and some sort of advanced surveillance and detection going on. But there’s also a plausible explanation for this to have happened just how they say it did.

@rg: This was January 4th, 2011, the middle of winter, a winter in which we, in Cambridge, were having record snowfall and struggling to find places to put it. There wouldn’t have been a lot of people on bicycles at all, because biking was pretty treacherous.

This picture https://secure.flickr.com/photos/peter_macko/5507424823/ is of Mass Ave in Harvard Square (a couple of miles from MIT), taken on January 9th, and shows what the street was like. Those large snowbanks are snow that, at the time, Cambridge had no place to put. And Harvard Square was far better cleared than the rest of Cambridge.

This also explains why Aaron took Mass Ave when leaving MIT: as a main route, it was better cleared than any of the backstreets.

@rg: After only a moment’s reflection and before seeing SB’s remark @ 7, I realized that my problem was with the term, “spotted”; a more operative term would be “found”. It occurred to me that by the time of his arrest, Swartz was a known entity, as part of a larger community of undesirables called hackers, especially a group around the “Boston area” somehow associated with Wikileaks.

When I was in that area, it was 1970, and there was a large unorganized anti-war effort underway. The Nixon government was doing all it could to infiltrate and counter that movement’s effectiveness. While massive senseless wars still go on, there are other issues being resisted as well, including efforts to undermine what seems to be called “the security state”, among which “hackers” are a particular problem. When Aaron Swartz’s image appeared in that closet, that made him wanted on a trespassing charge, and vulnerable to arrest and intimidation. They definitely knew who AS was and what he looked like.

@Saul Tannenbaum: I seem to be writing while you are posting. Thanks for the correction and the photos (and the memories). I do remember Jan of 1971, with Mass Ave looking like that, and stand corrected as to the traffic scene that would have been extant. And are Harvard and MIT really two whole miles apart? If so, memory must be some sort of wormhole that distorts time and space.

That Pickett was present at the arrest is not news. The MIT cop stopped and detained Swartz and then Pickett and at least one more responded to the scene of the detention. And it was actually USSS Agent Pickett that effected the formal arrest by handcuffing Swartz. I have known this for nearly a week now, though cannot remember from what document.

This NY Times article is the first I read about MIT being concerned about “the Chinese” showing up briefly in the netbook.
Is this a red herring? Especially since the next sentence goes on to state that hackers from China probing the network are a commonplace occurrence.

The NY Times article mentions that Swartz has many friends at MIT and that Swartz’s father was associated with the MIT Media Lab. So is Joi Ito– a former colleague of Aaron Swartz from the Creative Commons days. Ito is the Director of the MIT Media Lab. No mention that Aaron was in contact with Ito, however.

@Saul Tannenbaum: Looking at the NYT timeline, I’m having second thoughts that the involvement of the SS was simply low level local cop butt covering and brown nosing.

Look at how fast Pickett was on site, a little over an hour from the time the MIT cops were notified. From the prior story, MIT cops called Cambridge, and they called Pickett. Seems like an awfully quick response if that was the first contact. If Pickett wasn’t already engaged, what in a low level hack of academic papers would have gotten him off his butt and out on crappy roads? What’s it look like to you?

@pdaly: Probably. That had come out earlier in the discussion of the data collection from his computer. I think the govt and MIT have used it after the fact to excuse their access of data on his laptop.

Rereading the report, I had forgotten that a Boston Police officer was also present in the wiring closet.

Lastly, the arrest report states that after Pierce spotted Swartz, he summoned Pickett and a Cambridge police officer. Swartz jumped off his bike and ran down Lee St (where he lived), where he was cuffed by Pickett.

That sequence is a bit odd. Where did Pickett come from that he could be there in time to pursue Swartz so quickly? It wouldn’t surprise me to learn that they were all driving around the vicinity looking for Swartz, of whom, by that time, they had a good description.

@emptywheel: The new security measures were planned and approved in the fall, before Aaron was caught. That means that the staff was evaluating equipment and systems between then and implementation. And you evaluate that stuff by actually using it in your environment. (If you’re MIT, any vendor is going to bend over backwards to get selected so they’ll give you anything you ask for, pretty much.)

This is another explanation for the special tools and even the security expert, someone a vendor sent to help MIT evaluate some system which they tried out in a real world exercise.

@pdaly: The thing about Chinese hacker activity is that, until you look, you never know what it is.

One of the weirder moments of my professional life was a university-oriented IT conference at the welcoming reception where a guy, who said he was from a security vendor, sat down with a bunch of us and started talking about how Chinese hackers were silently stealing the intellectual property of our universities and we didn’t know it and that if we didn’t get our act together we’d wake up one day slaves to the Chinese. I’m exaggerating the slaves part, it was that sort of paranoid rant.

The thing about it is: if you’re being silently stolen from, how would you know?

So, you see that stuff and you ask yourself: signal or noise? Standard probes for vulnerabilities or active attack?

If you’re savvy, even if it’s noise and not an attack, you, as Marcy notes, keep it in your back pocket for justification of something. Because “we’re under attack by Chinese hackers” is a great motivator.
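The “signal or noise?” question above is the everyday triage problem behind a firewall log. As an added example, not from this post or any of its commenters, here is a small Python script that parses a few constructed iptables-style records (documentation address ranges, invented timestamps), aggregates them per source address, and labels each source as background scan noise, focused activity against one service, or a one-off. The log format, the threshold values and the labels are all assumptions chosen for the illustration.

```python
"""Triage of firewall log lines: background probing versus focused activity.

Constructed example (not from the page): a handful of iptables-style
DROP/ACCEPT records is parsed, aggregated per source address, and each
source is labelled so an analyst spends time on the few sources that look
focused rather than on the scan noise.
"""
import re
from collections import defaultdict

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; 10.0.0.0/8 stands in for the campus network.
SAMPLE_LOG = """\
2011-01-04T08:08:01 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=21
2011-01-04T08:08:01 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=22
2011-01-04T08:08:02 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=23
2011-01-04T08:08:02 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=25
2011-01-04T08:08:03 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=80
2011-01-04T08:08:03 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=110
2011-01-04T08:08:04 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=143
2011-01-04T08:08:04 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=443
2011-01-04T08:08:05 DROP src=203.0.113.5 dst=10.0.0.7 proto=TCP dport=3389
2011-01-04T09:15:10 DROP src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T09:20:41 DROP src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T09:26:03 DROP src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T09:31:55 DROP src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T09:37:12 DROP src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T09:42:30 ACCEPT src=198.51.100.77 dst=10.0.0.20 proto=TCP dport=22
2011-01-04T10:02:00 DROP src=203.0.113.9 dst=10.0.0.7 proto=TCP dport=80
"""

# Assumed record layout: "<timestamp> <ACCEPT|DROP> src= dst= proto= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text):
    """Aggregate hits, accepted connections and (dst, port) targets per source."""
    per_src = defaultdict(lambda: {"hits": 0, "accepts": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: skip it rather than crash
        stats = per_src[rec["src"]]
        stats["hits"] += 1
        if rec["action"] == "ACCEPT":
            stats["accepts"] += 1
        stats["targets"].add((rec["dst"], rec["dport"]))
    return dict(per_src)


def classify(stats, scan_ports=8, focus_hits=5):
    """Label one source's aggregate (thresholds are illustrative assumptions).

    scan-noise: many distinct ports touched, the signature of a sweep;
    focused:    repeated hits on at most two (host, port) pairs;
    sporadic:   anything else, usually a single stray packet.
    """
    distinct_ports = len({port for _, port in stats["targets"]})
    if distinct_ports >= scan_ports:
        return "scan-noise"
    if stats["hits"] >= focus_hits and len(stats["targets"]) <= 2:
        return "focused"
    return "sporadic"


def triage(log_text):
    """Map every source address in the log to its label."""
    return {src: classify(stats) for src, stats in summarize(log_text).items()}


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {classify(stats):10} hits={stats['hits']} "
              f"accepts={stats['accepts']} targets={len(stats['targets'])}")
```

Run against the sample, the port sweep from 203.0.113.5 is filed as noise, the single stray packet from 203.0.113.9 as sporadic, and 198.51.100.77 is the one worth a closer look: six attempts at the same SSH port, the last of them accepted. The accepted count is what turns a “focused” label from curiosity into a ticket, which is why it is carried in the summary rather than discarded.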

Looks like the campus buildings end between Sidney and Brookline Streets going west on Mass Ave. It’s another 8 streets going west on Mass Ave (towards Harvard, away from MIT) until you reach Lee Street.

But campus police can and do leave campus and are “deputized” by the county to have jurisdiction for “adjacent areas”. But it’s not uncommon here to have campus police arrest someone off campus for a crime committed on campus.

Update: And there are buildings further up Mass Ave, like a dorm and the MIT Museum. But those aren’t part of the contiguous campus.

@emptywheel: It comes from the arrest report. Early reports here, if memory serves, used the address on the police report – the address at which Aaron was apprehended – as his home address. Re-reading the police report, it doesn’t say anything about this being his home.

My vote’s on a cellphone used as a tracking device — do we know that Swartz did/didn’t use one, even a disposable one?

And Chinese hackers? Give me an effing break — this is an excuse. The amount of crap China took with Operation Aurora using exploits in documents generated with common commercial software, dispersed by Gmail is huge. And Google told the public about it, not DHS, SS, or any of the targeted corporate entities. Now that we all know conclusively that China followed through on the cyberspace “outreach” efforts PRC insiders warned us about years ago, China can be blamed as a universal bogeyman.

@emptywheel: He was probably rotating disposables if he had that many. All it would take is a sniffer looking for cellphones used regularly around a particular address, then a later match.

Keep in mind, too, the case where a car had a tracking device attached to it by law enforcement in the driveway of the subject’s home. I think the court didn’t rule that was illegal until this past year…were they using the same techniques?

Michael Sussmann, a former federal prosecutor, said MIT had to assume any hackers were “the Chinese” http://nyti.ms/WAKQh9

What did MIT already know about the hack by the time they called in the Secret Service?

They knew the closet and the laptop. They also knew the target of the hack was JSTOR. They probably also knew that 99.9% of the comms were between the laptop and JSTOR, and they also had the means to look at the packets coming from off network to the laptop, and knew there was no evidence of remote operation from China or network file transfers.

Still, the person placing the laptop could have been an agent from China but there’s no reason MIT had to assume it. When assuming the worst case scenario (which seems to be what Michael Sussmann is implying), you do so because you cannot assess the risk. The risk to that point was copying scholarly articles to the laptop. Did they know that?

Is Michael Sussmann’s bs rhetoric covering tracks, or does the (Secret Service and) Justice Department act out of irrational fear?

@Saul Tannenbaum: @23 Thanks, makes sense. Still smells like there was more going on than what we’ve seen. Thanks for the map too, it helps.

Swartz sure had the Feds’ attention with his FOIAs and history. It’s hard to shake the thought that this may have been driven from the Feds down, with national technical means targeting Swartz already deployed. But, regardless of who initiated what, Swartz gave them a gold plated opportunity to hurt him, and they took it.

Looking at a firewall log is sobering. Surprising how many not very nice people there are in the world.